CVE-2018-1000030
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3->Malloc->Thread1->Free's->Thread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.
Python 2.7.14 es vulnerable a un desbordamiento de búfer y a un uso de memoria dinámica (heap) previamente liberada. Las versiones de Python anteriores a la 2.7.14 también podrían ser vulnerables y, aunque esto aún no se ha confirmado, las versiones 2.7.17 y anteriores de Python también podrían ser vulnerables. La vulnerabilidad aparece cuando múltiples hilos gestionan grandes cantidades de datos. En ambos casos, ocurre esencialmente una condición de carrera. Para el desbordamiento de búfer, el hilo 2 crea el tamaño para un búfer, pero el hilo 1 ya está escribiendo en el búfer sin saber cuánto escribir. Por lo tanto, cuando se procesa una gran cantidad de datos,es muy fácil provocar una corrupción de memoria mediante un desbordamiento de búfer basado en memoria dinámica (heap). En el caso del uso de memoria previamente liberada, Hilo3->Malloc->Hilo1->Liberación->Hilo2-reutiliza la memoria liberada. El PSRT ha indicado que esta no es una vulnerabilidad de seguridad debido al hecho de que un atacante debe ser capaz de ejecutar código. Sin embargo, en algunas situaciones, como la de las funciones como servicio, esta vulnerabilidad puede ser empleada por un atacante para infringir un límite de confianza, por lo que DWF cree que este problema debe tener un CVE.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-02-08 CVE Reserved
- 2018-02-08 CVE Published
- 2020-02-10 First Exploit
- 2023-03-08 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-416: Use After Free
- CWE-787: Out-of-bounds Write
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| https://drive.google.com/file/d/1oyR9DAZjZK_SCn3mor6NRAYLJS6ueXaY/view | Third Party Advisory | |
| https://www.oracle.com/security-alerts/cpujan2020.html | Third Party Advisory |
|
| URL | Date | SRC |
|---|---|---|
| https://github.com/tylepr96/CVE-2018-1000030 | 2020-02-10 |
| URL | Date | SRC |
|---|---|---|
| https://bugs.python.org/issue31530 | 2020-08-24 |
| URL | Date | SRC |
|---|---|---|
| https://security.gentoo.org/glsa/201811-02 | 2020-08-24 | |
| https://usn.ubuntu.com/3817-1 | 2020-08-24 | |
| https://usn.ubuntu.com/3817-2 | 2020-08-24 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Python Search vendor "Python" | Python Search vendor "Python" for product "Python" | <= 2.7.14 Search vendor "Python" for product "Python" and version " <= 2.7.14" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04" | esm |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04" | lts |
Affected
| ||||||